From 701908002bf1b34e9bf88ca0c3d2191a39bed0d1 Mon Sep 17 00:00:00 2001
From: Cody Oss <6331106+codyoss@users.noreply.github.com>
Date: Mon, 30 Aug 2021 16:23:26 -0600
Subject: [PATCH] fix(idtoken): provide default scope for cert endpoint (#1198)
When NewValidator is called without any options passed in it will fail talking to the google cert endpoint because the dailed authenticated client will not have proper scopes and leads to the error: "invalid_scope". We should set a default scope so this method can be called with no extra options.
Fixes: #1187
---
 idtoken/validate.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/idtoken/validate.go b/idtoken/validate.go
index 83efb3318f9..e2b84f0b67a 100644
--- a/idtoken/validate.go
+++ b/idtoken/validate.go
@@ -19,6 +19,7 @@ import (
 "strings"
 "time"
+ "google.golang.org/api/option/internaloption"
 htransport "google.golang.org/api/transport/http"
 )
@@ -34,6 +35,10 @@ var (
 now = time.Now
 )
+func defaultValidatorOpts() []ClientOption {
+ return []ClientOption{internaloption.WithDefaultScopes("https://www.googleapis.com/auth/cloud-platform")}
+}
+
 // Payload represents a decoded payload of an ID Token.
 type Payload struct {
 Issuer string `json:"iss"`
@@ -88,6 +93,7 @@ type Validator struct {
 // NewValidator creates a Validator that uses the options provided to configure
 // a the internal http.Client that will be used to make requests to fetch JWKs.
 func NewValidator(ctx context.Context, opts ...ClientOption) (*Validator, error) {
+ opts = append(defaultValidatorOpts(), opts...)
 client, _, err := htransport.NewClient(ctx, opts...)
 if err != nil {
 return nil, err
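Review bot: `defaultValidatorOpts` asks for the broad `cloud-platform` scope for a client that, per the NewValidator comment, is only used to fetch JWKs, which is more privilege than fetching public keys should need. If the cert endpoint serves its keys without authentication (worth confirming), defaulting to `option.WithoutAuthentication()` would avoid minting and attaching a bearer token at all, and would presumably let NewValidator work on hosts with no discoverable credentials. If the scope has to stay, the helper should carry a doc comment that says why, for example `// defaultValidatorOpts supplies a default scope so the cert client can be built when the caller passes no options.`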
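Review bot: The prepend in NewValidator presumably depends on later options overriding earlier ones, but nothing at the call site states that ordering contract. A comment above the new line, such as `// Defaults go first so caller-supplied options take precedence.`, would keep a later edit from reversing the order and silently replacing a caller's narrower scope. The diffstat shows only validate.go changing, so the no-options path that produced "invalid_scope" has no regression test in this commit. NewValidator's body continues past the end of the hunk.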